Hello everyone. In my first post on this blog I will explain how I was able to take over any account.
Let’s begin.
Reconnaissance
While doing subdomain enumeration I noticed an interesting subdomain that looked like { app.dev.Target.com }. It was a copy of the original site.
After finishing subdomain enumeration I started browsing the subdomains one by one, trying all the functions to understand the target.
While browsing the main domain I looked at the login function. Registration was by phone number only, so I entered my number, and the verification was a 4-digit OTP!
The first thing that came to my mind was brute forcing the code, but unfortunately they had a rate limit.
So I started looking for a method to bypass it.
I tried changing the IP origin using headers:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
But it didn’t work.
—
I also tried using similar endpoints.
But it didn’t work ):
—
I also tried adding extra parameters to the path.
But it didn’t work ):
I tried a lot of methods to bypass it, but none of them worked.
So I said, let me move on to other functions.
But then I remembered the interesting subdomain { app.dev.Target.com }. Why not try brute forcing the OTP there?
I tried, but unfortunately it also had a rate limit.
—
But I said, why not try to bypass this one too?
So I tried changing the IP origin using headers again, this time with
X-Forwarded-For:
And it worked! I succeeded in bypassing the rate limit!!
So now I could take over any account just by knowing its phone number!
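To show the server-side failure this writeup turned up, here is an added example (not code from the original post, and not the target's): a rate limiter that keys on whatever X-Forwarded-For says, next to one that only honours the header from a trusted proxy and also counts guesses per phone number. The proxy address, limits and sample addresses are assumptions.

```python
# Added example, not code from the original post; proxy address, limits and IPs are assumed.
from collections import defaultdict
from dataclasses import dataclass, field

MAX_PER_IP = 5                  # assumed: guesses allowed per client per window
MAX_PER_PHONE = 5               # assumed: guesses allowed per target account
TRUSTED_PROXIES = {"10.0.0.2"}  # assumed: the only hop allowed to set X-Forwarded-For

@dataclass
class Request:
    peer_ip: str                 # TCP source address the server really sees
    phone: str                   # account whose OTP is being verified
    headers: dict = field(default_factory=dict)

class WeakLimiter:
    """Trusts X-Forwarded-For blindly: every new header value is a new 'client'."""
    def __init__(self):
        self.hits = defaultdict(int)

    def allow(self, req):
        key = req.headers.get("X-Forwarded-For", req.peer_ip)
        self.hits[key] += 1
        return self.hits[key] <= MAX_PER_IP

class HardenedLimiter:
    """Honours X-Forwarded-For only from a trusted proxy and also locks the targeted phone."""
    def __init__(self):
        self.ip_hits = defaultdict(int)
        self.phone_hits = defaultdict(int)

    def client_ip(self, req):
        xff = req.headers.get("X-Forwarded-For")
        if req.peer_ip in TRUSTED_PROXIES and xff:
            return xff.split(",")[-1].strip()   # the hop appended by our own proxy
        return req.peer_ip                      # header from anyone else is ignored

    def allow(self, req):
        ip = self.client_ip(req)
        self.ip_hits[ip] += 1
        self.phone_hits[req.phone] += 1
        return (self.ip_hits[ip] <= MAX_PER_IP
                and self.phone_hits[req.phone] <= MAX_PER_PHONE)

def simulate(limiter, attempts):
    """Constructed scenario: one host (203.0.113.7) guesses one phone's code, rotating the header each time."""
    allowed = 0
    for i in range(attempts):
        req = Request("203.0.113.7", "+15550100", {"X-Forwarded-For": f"198.51.100.{i % 250}"})
        allowed += limiter.allow(req)   # True counts as 1
    return allowed
```

The per-phone counter is what matters most here: even guesses that arrive from genuinely different clients stop after MAX_PER_PHONE, so a 4-digit code cannot be exhausted.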
Takeaways:
- Don’t give up.
- Try all the methods to bypass (:
Thank you for reading.